Event ID 24624 — BitLocker Encryption and Decryption

Applies To: Windows Server 2008

Whenever the operating system or an application attempts to read from or write to a BitLocker-protected volume, the BitLocker filter driver must decrypt or encrypt data in real time, sector by sector. The filter driver writes event log information when it encounters problems, even if the problem is corrected with an automatic retry of the operation.

Event Details

Product: Windows Operating System
ID: 24624
Source: Microsoft-Windows-BitLocker-Driver
Version: 6.0
Symbolic Name: FVE_MOR_BIT_SET_ERROR
Message: BIOS/TCG Memory Overwrite Control: Error changing value %2.

Resolve

Confirm system compatibility, revert BIOS, or update BIOS

Normally, the Windows operating system holds the BitLocker volume encryption keys and other sensitive data in memory. If the computer is restarted without having been fully shut down, this information may still be present in memory. During the normal restart process, the operating system ensures the removal of this information by overwriting the memory space.

If the system restarted without the operating system having the chance to overwrite memory, the memory must be erased by the system BIOS early in the boot process--before any malicious software components could access memory and retrieve keys.

A special non-volatile bit called the Memory Overwrite Request (MOR) bit is used to tell the BIOS that the system memory should be erased early in the boot process. The operating system sets this bit before placing sensitive information in memory and clears the bit during normal shutdown after the sensitive information has been cleared from memory.

The MOR bit is used only in computer systems with a Trusted Platform Module (TPM). Memory will only be cleared by the BIOS if the MOR bit is set and if ownership for the TPM has been taken.

The correct operation of this process depends on a system BIOS that is fully compatible with this version of Windows and the BitLocker Drive Encryption feature.

To resolve this condition, first confrm that your system is certified as compatible with this version of Windows. If your BIOS has recently been updated, you may need to revert to an earlier version. If the manufacturer of your computer system has made a new BIOS version available, you may need to update the computer system BIOS.

Confirm that your computer is certified as compatible with Windows BitLocker Drive Encryption

To confirm that your computer is certified as compatible with Windows BitLocker Drive Encryption:

  1. See Windows Vista Hardware Compatibility List (https://go.microsoft.com/fwlink/?LinkId=104414) and check whether the computer system is certified to be compatible with Windows Vista.
  2. If your computer system is not certified as compatible with this version of Windows, you may not be able to use all of the features included with Windows, such as BitLocker Drive Encryption. Contact your hardware supplier or hardware support team to see if upgrades or alternatives are available.

Revert the computer BIOS

To revert the computer BIOS:

  1. If your computer BIOS or firmware was recently updated, check with your computer hardware supplier or hardware support team to determine whether the update supports the MOR bit.
  2. If not, follow the instructions provided by your computer hardware supplier to revert to the previous BIOS.

Update the computer BIOS

To update the computer BIOS:

  1. Check with your computer hardware supplier to determine whether an updated BIOS is available that supports the MOR bit.
  2. If so, follow the computer hardware supplier instructions for installing the updated BIOS.

Verify

To verify the correct operation of BitLocker encryption and decryption, read data from and write data to an encrypted volume. The read and write should occur without error.

Caution: We strongly recommend that all important data be backed up regularly.

BitLocker Encryption and Decryption

Core Security